Welcome!

Microsoft Cloud Authors: Janakiram MSV, Yeshim Deniz, David H Deans, Andreas Grabner, Stackify Blog

Related Topics: Microsoft Cloud, Microservices Expo, Containers Expo Blog, Cloud Security

Microsoft Cloud: Tutorial

RDP Exploitation Using Cain

Cain has the ability to do a man in the middle attack against the RDP “Remote Desktop Protocol”

The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server.  RDP is designed to support different types of network topologies and multiple LAN protocols.  Remote Desktop Services formerly know as Terminal Services on Windows 2000 Server allow a server to host multiple, simultaneous client sessions.  Remote Desktop uses Remote Desktop Services technology to allow a single session to run remotely.  Thus a user can connect to a Remote Desktop Session Host server by using Remote Desktop Connection (RDC) client software.

Cain has the ability to do a man in the middle attack against the RDP “Remote Desktop Protocol”.  Cain is compiled using Microsoft Visual C++ and linked as a single executable file named “Cain.exe”.  Developed with a simple Windows graphical user interface, its main purpose is to concentrate several hacking techniques and proof of concepts providing a simplified tool focused on the recovery of passwords and authentication credentials from various sources.

Windows 2008 R2 has added some remote desktop services to its server such as RemoteApp, RD gateway, and RD Visualization Host.  The windows server role now provides increased flexibility to deploy individual applications or full desktops via RDS or a VDI solution.  The following is a list of Windows 2008 R2 individual applications that are available to users over the Remote Desktop Protocol (RDP).

  1. Remote Desktop Virtualization
  2. Remote Desktop IP Virtualization
  3. RDP & Remote Desktop Connection version 7.0
  4. Fair Share CPU scheduling
  5. Windows Installer compatibility
  6. True multiple monitor support for up to 16 monitors
  7. RDS Provider for PowerShell

With these new improvements the door is open for potential security issues depending on how you deploy RDS.  So RDS included a number of security mechanisms to help make RD connections more secure such as Network Level Authentication (NLA), Transport Layer Security (TLS), Group Policy, RD Web Access, and RD Gateway. 

NLA requires that the user be authenticated to the RD Session Host server before a session is created.  This helps protect the remote computer from malicious users and malware.  The client computer must be at Windows XP service pack 3 or above to use NLA.  Transport Layer Security (TLS) can use one of three security layers for protecting communications between the client and the RDS Session Host server:

  • RDP security layer – uses native RDP encryption and is least secure
  • Negotiate – TLS 1.0 (SSL) encryption used if the client supports it
  • SSL – TLS 1.0 encryption will be used for server authentication and encryption of data sent between the client and Session Host server.  This is the most secure.  You will need a digital certificate, which can be issued by a CA or self-signed.


This security can be all for not with some lax controls and an effective formidable foe using Cain on your network segment.  Cain runs on windows machines (Windows 9x & Windows NT/2000/XP) below is a screenshot of the interface. (see figure #1)

In this tutorial I have Cain running on a Windows XP machine and placed in the same network segment as a Windows 7 machine that is communicating with a Windows 2008 R2 server.  Below is a list of the IP address assignments.


Figure 1: Cain screenshot

Windows 7                          192.168.1.114
Windows XP (Attacker)     192.168.1.125
Windows 2008 R2             192.168.1.113

When you fire up Cain you will be given a gui interface with a list of decoders, network, sniffer, cracker, traceroute, CCDU, wireless, and query tabulated across the top.  The first thing you want to do is select you interface by clicking on the sniffer icon at the top.  If you have more than one interface then you need to select the appropriate interface for your work.  This will start the sniffer and allow you to see what devices are available on the network segment (see Figure #2). 

Next you can select what devices you would like to sniff traffic to and from (see Figure #3).  Now you are ready to arp poison the network segment between your Windows 7 and Windows 2008 R2 Server by clicking on the radioactive button you will notice the status will change from idle to poisoning (see Figure #4).


Figure 2: Devices available on network segment

Now that the attack is set we need to go to our Windows 7 client and RDP into our Windows 2008 R2 server.  Now if you are doing this on a recent installation of Windows 2008 R2 server than you will have no problems within the first 120 days.  After that the grace period is over and a license server needs to be installed and activated.  But if your company is like most that I have worked for then money is tight and if there is a way found to get around purchasing a license all the better.  A Client Access License (CAL) is required for each client requiring access to Windows Server 2008 Terminal Services.  Once installed you can utilize the features I listed above to secure your RDP sessions.  But if your like most organizations you can always find a way around this license requirement.


Figure 3: Select devices you want to sniff traffic to and from

When you try connecting to the Windows 2008 R2 Server after the 120 day grace period via RDP you will get this error message if you don't have your Client Access License setup and configured (see Figure #5).

Figure 4: Status change from idle to poisoning

Figure 5: Error message

The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license.  Please contract the server administrator.  Now when the client in this case the Windows 7 machine – connects to an RD Session Host server it determines if an RDS CAL is needed.  The server then request an RDS CAL from a Remote Desktop license server on behalf of the client (Windows 7) and issued to the client and able to connect to the RD Session Host server (Windows 2008 R2).  But windows allows for 2 RDP sessions to the host machine even without the license server.  Network Administrators who do maintenance on servers (ie check status, run updates, etc) can RDP in  with the admin command like so: mstsc /v: IP_or_hostname /admin

Make sure there is a space after the IP address and before the /admin.  Many Network Administrators using this function disregard the identity of the remote computer warning message and connect anyway. (see Figure #6)

Figure 6: mstsc command and RDP warning message

Now we can connect from our Windows 7 client to our Windows 2008 R2 Server using RDP (see Figure # 7).


Figure 7: RDP login screen

Once we are provide the login information and password we are given access to our Windows 2008 R2 Server (see Figure #8).  Now lets go back and see what information Cain has saved for us running on our attack machine Windows XP (see Figure #9)


Figure 8:  Administrator Desktop of Windows 2008 Server R2

Figure 9: Files saved in ARP RDP (2)

This file that is saved pulls out keystrokes from the decrypted log file made by Cain and you can do this by hand or you can get the script by Adrian Crenshaw owner of irongeek.com.  The script is written in AutoIt v3 and works quite well.  Here is a screenshot of the parsed file run through Adrian's script (see Figure #10).



Figure 10: log parsed with Adrian's script

References on the Web:

 

Let pbnetworks get your pen test on target



Visit us and learn how http://pbnetworks.net
How secure is your network?

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

@ThingsExpo Stories
SYS-CON Events announced today that Datera will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera offers a radically new approach to data management, where innovative software makes data infrastructure invisible, elastic and able to perform at the highest level. It eliminates hardware lock-in and gives IT organizations the choice to source x86 server nodes, with business model option...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, will discuss how from store operations...
Nordstrom is transforming the way that they do business and the cloud is the key to enabling speed and hyper personalized customer experiences. In his session at 21st Cloud Expo, Ken Schow, VP of Engineering at Nordstrom, will discuss some of the key learnings and common pitfalls of large enterprises moving to the cloud. This includes strategies around choosing a cloud provider(s), architecture, and lessons learned. In addition, he’ll go over some of the best practices for structured team migrat...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, will discuss how they bu...
Infoblox delivers Actionable Network Intelligence to enterprise, government, and service provider customers around the world. They are the industry leader in DNS, DHCP, and IP address management, the category known as DDI. We empower thousands of organizations to control and secure their networks from the core-enabling them to increase efficiency and visibility, improve customer service, and meet compliance requirements.
Digital transformation is changing the face of business. The IDC predicts that enterprises will commit to a massive new scale of digital transformation, to stake out leadership positions in the "digital transformation economy." Accordingly, attendees at the upcoming Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA, Oct 31-Nov 2, will find fresh new content in a new track called Enterprise Cloud & Digital Transformation.
SYS-CON Events announced today that N3N will exhibit at SYS-CON's @ThingsExpo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. N3N’s solutions increase the effectiveness of operations and control centers, increase the value of IoT investments, and facilitate real-time operational decision making. N3N enables operations teams with a four dimensional digital “big board” that consolidates real-time live video feeds alongside IoT sensor data a...
SYS-CON Events announced today that NetApp has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. NetApp is the data authority for hybrid cloud. NetApp provides a full range of hybrid cloud data services that simplify management of applications and data across cloud and on-premises environments to accelerate digital transformation. Together with their partners, NetApp emp...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
SYS-CON Events announced today that Avere Systems, a leading provider of hybrid cloud enablement solutions, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere Systems was created by file systems experts determined to reinvent storage by changing the way enterprises thought about and bought storage resources. With decades of experience behind the company’s founders, Avere got its ...
SYS-CON Events announced today that Avere Systems, a leading provider of enterprise storage for the hybrid cloud, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere delivers a more modern architectural approach to storage that doesn't require the overprovisioning of storage capacity to achieve performance, overspending on expensive storage media for inactive data or the overbui...
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
SYS-CON Events announced today that Ryobi Systems will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ryobi Systems Co., Ltd., as an information service company, specialized in business support for local governments and medical industry. We are challenging to achive the precision farming with AI. For more information, visit http:...
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, will discuss how by using...
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lead...
SYS-CON Events announced today that Daiya Industry will exhibit at the Japanese Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ruby Development Inc. builds new services in short period of time and provides a continuous support of those services based on Ruby on Rails. For more information, please visit https://github.com/RubyDevInc.
SYS-CON Events announced today that CAST Software will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CAST was founded more than 25 years ago to make the invisible visible. Built around the idea that even the best analytics on the market still leave blind spots for technical teams looking to deliver better software and prevent outages, CAST provides the software intelligence that matter ...
As businesses evolve, they need technology that is simple to help them succeed today and flexible enough to help them build for tomorrow. Chrome is fit for the workplace of the future — providing a secure, consistent user experience across a range of devices that can be used anywhere. In her session at 21st Cloud Expo, Vidya Nagarajan, a Senior Product Manager at Google, will take a look at various options as to how ChromeOS can be leveraged to interact with people on the devices, and formats th...
SYS-CON Events announced today that Yuasa System will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Yuasa System is introducing a multi-purpose endurance testing system for flexible displays, OLED devices, flexible substrates, flat cables, and films in smartphones, wearables, automobiles, and healthcare.